A serious logical vulnerability in a home hotel allows users to log on to any account, resulting in tens of millions of sensitive information leaks (involving basic personal information and Check-in records of any user account, etc)

A serious logical vulnerability in a home hotel allows users to log on to any account, resulting in tens of millions of sensitive information leaks (involving basic personal information and Check-in records of any user account, etc)

The book said the last time: no records of the Goddess's room X were found in the hotel in China, and she was very happy, but she just saw the goddess, and her knees were red and swollen, so I seem to know something. I turned on my computer again, and entered the Goddess's mobile phone number. Let's start this grand plan again from here.

1. Target Website: http://www.homeinns.com/homeinn. register an account number first and use it later;

2. Use your account to retrieve the password and use fiddler to intercept the returned data packet;

3. Enter the verification code you received, and click Next. At this time, all the returned data packets are copied to the blank document for backup;

4. Go back to the password retrieval page, enter the name and mobile phone number of the account you want to log on to, and click "Get Verification Code" (this step is required and I will explain why it is necessary later ), then, enter a six-digit number at will and click Next to intercept the returned data packet. At this time, we will replace the data intercepted in step 1 with the data intercepted, and then release the data packet.

5. At this time, you can jump to the Password Reset page. Here we enter the password we want to change;

6. Click Next to reset the password.

7. Is it over now? Apparently not, because we need to know the user's name and mobile phone number When resetting the password this time, but we do not need to know the user's name when making a move, however, if I do not enter a username or enter an incorrect username, the Verification Code cannot be sent. What should I do?

8. On the page for the first step of password retrieval, we enter the wrong name, the mobile phone number to change the password, the verification code (image verification code), and then intercept the sent data packets, click get mobile phone Verification Code, set the name of the sent data packet to null, and then release the data packet. Now you can find that the server sends the verification code to the mobile phone (ps: make sure that the server sends the verification code to your mobile phone. Otherwise, the password will not be changed even if the subsequent steps are successful );

9. Don't be excited at this time. (important) Click the image verification code to obtain the image verification code again. Then, enter a six-digit number at will, and then follow step 1.

10. OK. We can only obtain sensitive information such as the information of any account's house opening Based on the mobile phone number. We can also write a script to traverse all the phone numbers.

1. Target Website: http://www.homeinns.com/homeinn. register an account number first and use it later;

2. Use your account to retrieve the password and use fiddler to intercept the returned data packet;
 

3. Enter the verification code you received, and click Next. At this time, all the returned data packets are copied to the blank document for backup;

4. Go back to the password retrieval page, enter the name and mobile phone number of the account you want to log on to, and click "Get Verification Code" (this step is required and I will explain why it is necessary later ), then, enter a six-digit number at will and click Next to intercept the returned data packet. At this time, we will replace the data intercepted in step 1 with the data intercepted, and then release the data packet.
 

5. At this time, you can jump to the Password Reset page. Here we enter the password we want to change;
 

6. Click Next to reset the password.
 

7. Is it over now? Apparently not, because we need to know the user's name and mobile phone number When resetting the password this time, but we do not need to know the user's name when making a move, however, if I do not enter a username or enter an incorrect username, the Verification Code cannot be sent. What should I do?
 

8. On the page for the first step of password retrieval, we enter the wrong name, the mobile phone number to change the password, the verification code (image verification code), and then intercept the sent data packets, click get mobile phone Verification Code, set the name of the sent data packet to null, and then release the data packet. Now you can find that the server sends the verification code to the mobile phone (ps: make sure that the server sends the verification code to your mobile phone. Otherwise, the password will not be changed even if the subsequent steps are successful );
 

9. Don't be excited at this time. (important) Click the image verification code to obtain the image verification code again. Then, enter a six-digit number at will, and then follow step 1.

10. OK. We can only obtain sensitive information such as the information of any account's house opening Based on the mobile phone number. We can also write a script to traverse all the phone numbers.
 

 

 

 

Solution:

Add Verification Code Synchronization information or timestamp to important parameters;